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AMENDMENTfS^ TO THE CLAIMS 

1, (currently amended): A method for generating a permission grant set for 
a code assembly received from a resource location, the method comprising; 

receiving a security policy specification defming a plurality of code groups, 
each code group being associated with a code-group permission set; 

receiving evidence associated with the code assembly; 

evaluating the evidence relative to the code groups to determine 
membership of the code assembly in two or more of the code groups; and 

generating the permission grant se t bas e d o n by merging two or more code- 
group permission sets, each code-group permission set of the two or more code- 
group peraiission sets being associated with a code group in which the code 
assembly is a member, 

2, (previously presented): The method of clahn 1 wherein the generating 
operation comprises: 

dynamically generating a code-group permission set based on permissions 
associated with the two or more code groups. 

3, (original): The method of claim 1 wherein the generating operation 
comprises: 

computing a logical set operation on code-group pemiission sets associated 
with the code groups in which the code assembly is a member to generate the 
permission grant set 
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4. (original): The method of claim 3 wherein the computing operation 
comprises: 

computing the logical set operation based on order values associated with 
the code groups. 

5. (original): The method of claim 1 wherein the generating operation 
comprises: 

computing a union of the code-group peraiission sets associated with code 
groups in which the code assembly is a member to generate the permission grant 
set. 

6. (original): The method of claim 1 wherein the security policy 
specification further defmes at least one wde group collection associated with the 
plurality of code groups and the generating operation comprises: 

selecting a code-group permission set associated with an individual code 
group of the code group collection in which the code assembly is a member to 
generate the permission grant set. 

7. (original): The method of claim 6 wherein the security policy 
specification defines the at least one code group collection as a code group 
hierarchy. 
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8- (original): The method of claim 6 furtlier comprising: 

an exclusive property associated with the single code group indicating that 

the code-group pemiission set associated with the single code group is to be 

selected to generate the permission grant set. 

9. (original): The method of claim 8 further comprising: 
an exclusive property associated with the single code group indicating that 
no code-group permission set associated with a code group existing below the 
single code group in a code group hierarchy is to be used to generate the 
permission grant set. 

10- (original): The method of claim 1 wherein the security policy 
specification further defines a policy level associated with tlie plurality of code 
groups, and the generating operation comprises: 

computing a union of the code-group permission sets associated with code 
groups in which the code assembly is a member to generate a policy-level 
pennission set; and 

generating the pennission grant set based on the policy-level permission set. 
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11. (original): The ine±od of claim 1 wherein the security policy 
2 Specification further defines at least one code group collection associated with the 
plurality of code groups and a policy level associated with the at least one code 
group collection, and the generating operation comprises: 

5 selecting a code-group permission set associated with an individual code 

6 group of the code group collection in which the code assembly is a member to 
generate a policy-level permission set; and 

B generating the permission grant set based on the policy-level permission set. 



12. (original): The method of claim 1 wherein the security policy 
specification further defines a plurality of policy levels, each policy level being 

12 associated with the plurality of code groups, and the generating operation 

13 comprises: 

14 selecting, for each policy level, a code-group permission set associated with 

15 an individual code group in the code groups of the policy level in which the code 

16 assembly is a member to generate a corresponding policy-level permission set; and 

17 merging the corresponding policy-level permission sets to generate the 

18 permission grant set. 



19 



20 13. (original): The method of claim 12 wherein the merging operation 

21 comprises: 

22 computing an intersection of the corresponding policy-level permission sets 

23 associated with each policy level . 
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14- (original): The method of claim 1 wherein the security policy 
specification further defines a plurality of policy levels, each policy level being 
associated with a plurality of code groups, and the generating operation comprises: 

computing, for each policy level, a union of the code-group permission sets 
associated with code groups of the policy level in which the code assembly is a 
member to generate a corresponding policy-level permission set; and 

merging the corresponding policy-level permission sets to generate the 
permission grant set. 

15. (original): The method of claim 14 wherein the merging operation 
comprises: 

computing an intersection of the corresponding policy-level permission sets 
associated with each policy level. 

16. (original): The method of claim 1 wherein the security policy 
specification further defines a plurality of ordered policy levels associated with the 
plurality of code groups, such that a first policy level defines a more restrictive 
security policy than a second policy level. 

17. (original): The method of claim 1 further comprising: 

extracting from the security policy specification a membership criterion for 
a code group in the plurality of code groups. 
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18. (original): The method of claim 17 wherein the evaluating operation 
comprises: 

extracting one or more trust characteristics from the evidence; 
evaluating the trust characteristics relative to the membership criterion; and 
identifying the code assembly as a member of the code group, if the one or 
more trust characteristics satisfy the membership criterion. 

19. (original); The method of claim 1 fiirther comprising: 

extracting from the security policy specification a code-group permission 
set for each code group in the plurality of code groups* 

20. (original); The method of claim 1 wherein the security policy 
specification further describes at least one code group hierarchy associated with 
the pluraUty of code groups, each code group collection including a parent code 
group, and further comprising; 

extracting from the security policy specification a definition of at least one 
child code group of the parent code group in the at least one code group collection. 

21. (original): The method of claim 20 wherein the evaluating operation 
comprises: 

determining whether the code assembly is a member of the parent code 
group; and 

determining whether the code assembly is a member of tlie at least one child 
code group, if the code assembly is a member of the parent code group. 
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I 22. (previously presented): The method of claim 1 further comprising: 

performing verification on the code assembly; 
3 detecting a verijBcation failure of the code assembly in the operatioti of 

performing verification; and 

determining based on the pemiission grant set whether the code assembly 
may be executed despite the verification failure. 

7 

8 23* (previously presented): The method of claun 1 furtiier comprising: 

9 determining based on the pennission grant set that a step of a verification 
la process is unnecessary; 

communicating to a verification module that the step of the verification 

12 process may be bypassed; 

13 perforaiing the verification process on the code assembly with the 

14 verification module; and 

15 bypassing the step of the verification process, responsive to the 

16 communicating operation. 
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24. (cuirently amended): A computer data signal embodied in a carrier 

2 wave by a computing system and encoding a computer program for executing a 

3 computer process generating a permission grant set for a code assembly received 
from a resource location, the computer process comprising: 

receiving a security policy specification defining a plurality of code groups, 
each code group being associated with a code-group permission set; 
receiving evidence associated with the code assembly; 
evaluating the evidence relative to the code groups to detemiine 
membership of the code assembly in two or more of the code groups; and 

generating the permission grant se t based on bv merging two or more code- 
group permission sets, each code-group permission set of the two or more code- 
group permission sets being associated with a code group in which the code 
assembly is a member. 
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25. (currently amended): A computer program storage medium readable by 
a computer system and encoding a computer program for executing a computer 
3 process generating a permission grant set for a code assembly received from a 

resource location, the computer process comprising; 
5 receiving a security policy specification defining a plurality of code groups, 

each code group being associated with a code-group permission set; 

7 receiving evidence associated with the code assembly; 

8 evaluating the evidence relative to the code groups to determine 

9 membership of the code assembly in two or more of the code groups; and 
generating the permission grant se t based o n by merging two or more code- 

n group permission sets, each code-group permission set of the two or more code- 

12 group permission sets being associated with a code group in which the code 

13 assembly is a member. 
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37. (cxuxently amended); A computer program product encoding a 
computer program for executing on a computer system a computer process for 
generating a permission grant set for a code assembly received from a resource 
location, the code assembly being associated with an evidence set, the computer 
process comprising; 

receiving a secxuity policy specification defining at least one code group 
collection having two or more code groups, each code group being associated with 
a code-group permission set; 

evaluating the evidence set relative to the code group collection to 
determine membership of the code assembly in two or more code groups of the 
code group collection; and 

generating the pennission grant se t baaed o n by merging two or more code- 
group permission sets, each code-group pennission set of the two or more code- 
group permission sets being associated with a code group in which the code 
assembly is a member. 

38. (original): The program product of claim 37 wherein the generating 
operation comprises: 

computing a union of the code-group permission sets associated with code 
groups of the code group collection in which the code assembly is a member to 
generate the permission grant set. 
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39. (original): The program product of claim 37 wherein the generating 
Operation comprises: 

selecting a code-group perniission set associated with an individual code 
group of the code group collection in which the code assembly is a member to 
generate the permission grant set 

40. (previously presented): The program product of claim 37 wherein the 
security policy specification further defines a plurality of policy levels associated 
with the two or more code groups, and the generating operation comprises: 

computing, for each policy level, a union of the code-group permission sets 
associated with code groups in which the code assembly is a member to generate a 
corresponding policy-level permission set; and 

generating the permission grant set based on the corresponding policy-level 
permission set of each policy level. 

41. (currently amended): The program product of claim 40 wherein the 
operation of generating the permission grant se t based on bv merging two or more 
code-group permission sets further comprises: 

computing an intersection of the corresponding policy-level permission sets 
associated with each policy leveL 
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42, (currently amended): The program product of claim 40 wherein the 
operation of generating the permission grant set-based-e n bv merging two or more 
code-group permission sets further comprises: 

computing an intersection of a subset of the corresponding policy-level 
permission sets. 

43, (original): The program product of claim 37 wherein the computer 
process further comprises: 

extracting fix)m the security policy specification a membership criterion for 
a code group in the plurality of code groups. 

44, (original): The program product of claim 43 wherein the evaluating 
operation comprises: 

extracting one or more trust characteristics from the evidence; 
evaluating the trust characteristics relative to the membership criterion; and 
identifying the code assembly as a member of the code group, if the trust 
chamctcristics satisfy the membership criterion, 

45* (previously presented): The program product of claim 37, wherein the 

computer process further comprises: 

caching the permission grant set in association with the evidence; and 
outputting the permission grant set in response to a subsequent receipt of 

the evidence without re-evaluating the evidence. 

46.-48. (canceled) 
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49. (original): A method of verifying a code assembly received from a 
resource location, the method comprising: 

receiving a security policy specification defining a security policy; 
receiving evidence associated with the code assembly; 
evaluating the evidence relative to the security policy; 
performing verification on the code assembly; 

detecting a verification failure of the code assembly in the operation of 
performing verification; and 

determining whether the code assembly may be executed despite the 
verification failure, responsive to the evaluating operation. 

50. (original); The method of claim 49 wherein the operation of receiving 
evidence comprises: 

receiving evidence associated with a class of the code assembly. 

51* (original): The method of claim 49 wherein the operation of receiving 
evidence comprises: 

receiving evidence associated with a module of the code assembly. 

52. (original): The method of claim 49 wherein the operation of receiving 
evidence comprises: 

receiving evidence associated with a method of the code assembly. 
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53. (previously presented): A method of verifying a code assembly 
received from a resource location, the method comprising: 

receiving a security policy specification defining a security policy; 

receiving evidence associated with the code assembly; 

evaluating the evidence relative to the security policy; 

generating a permission grant set, responsive to the evaluating operation; 

determining based on the permission grant set that a step of a verification 
process is unnecessary; 

communicating to a verification module that the step of the verification 
process may be bypassed; 

performing the verification process on the code assembly with the 
verification module; and 

bypassing the step of the verification process, responsive to the 
coroinunicating operation. 

54. (original): The method of claim 53 wherein the generating operation 
comprises; 

generating the permission grant set in association with a module of the code 
assembly, responsive to the evaluating operation. 

55- (original): The method of claim 53 wherein the generating operation 
comprises: 

generating the permission grant set in association with a class of the code 
assembly^ responsive to the evaluating operation. 
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1 56. (original): The method of claim 53 wherein the generating operation 

2 comprises: 

3 generating the permission grant set in association with a method of the code 

4 assembly, responsive to the evaluating operation. 
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